Re: [PATCH] Audit filter rule operators (1/2)

From: Amy Griffis <amy griffis hp com>

To: linux-audit redhat com

Subject: Re: [PATCH] Audit filter rule operators (1/2)

Date: Tue, 25 Oct 2005 07:59:52 -0400

Hi Dustin,

On Fri, Oct 21, 2005 at 06:24:20PM -0500, Dustin Kirkland wrote:
> This is the user space component of this patch.
>
> This patch basically modifies the manner in which the field/value pairs
> are split. Previously, the code simply split on "=" and flipped a bit
> if there was a "!" just before the "=".
>
> I had to make this a bit smarter, and I think I did it cleanly using
> strstr(). Each of the six operators (!=, >=, <=, =, >, <) is searched
> for in the string until one "hits". Note that the 2-character
> comparators are searched for first (for obvious reasons).
>
> When there's a hit, the comparator bytes are overwritten with the null
> byte to split the string, and the "f" and "v" (field and value,
> respectively) pointers are set appropriately, as well as the "op"
> variable, which is the bitmask of the corresponding comparator.
>
> This op bitmask is OR'd with the field and netlink goes about passing
> this information just as it previously did.
>
> Note that I also constructed the symbol translation table, which is
> useful to convert the operator bitmask constants back to their prettier
> symbols (for error reporting as below).

How about translating the operator bits to symbols in
audit_print_rules() as well?

> My only concern is that *f and *v were const before, but now I'm
> modifying them, overwriting the operator bytes. I suppose I could
> strdup() this and work on that. Let me know if that's preferred.
>
> Comments welcome.
>
> :-Dustin
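
The split described in the quoted mail, as an added example in C that is not the patch's code: it works on a private copy, which sidesteps the const concern, and it keeps the leftmost operator hit rather than the first table hit, so an operator character inside the value is not mistaken for the separator. The `rule_term` struct, the function names and the `OP_*` bit values are assumptions made for this example.

```c
#include <stdlib.h>
#include <string.h>

/* Constructed bit values for this example, not the audit headers' constants. */
enum { OP_LT = 1, OP_GT = 2, OP_EQ = 4,
       OP_NE = OP_LT | OP_GT, OP_LE = OP_LT | OP_EQ, OP_GE = OP_GT | OP_EQ };

/* Hypothetical result type: buf owns the copy, field/value point into it. */
struct rule_term { char *buf; const char *field; const char *value; int op; };

/* Symbol table; the two-character operators come first. */
static const struct { const char *sym; int op; } optab[] = {
    { "!=", OP_NE }, { ">=", OP_GE }, { "<=", OP_LE },
    { "=",  OP_EQ }, { ">",  OP_GT }, { "<",  OP_LT },
};
#define NOPS (sizeof(optab) / sizeof(optab[0]))

/* Translate an operator bitmask back to its symbol for error messages. */
const char *op_symbol(int op)
{
    for (size_t i = 0; i < NOPS; i++)
        if (optab[i].op == op)
            return optab[i].sym;
    return "?";
}

/* Split "field<op>value"; returns 0, or -1 on error. Caller frees t->buf. */
int split_term(const char *arg, struct rule_term *t)
{
    char *hit = NULL;
    size_t len = 0, n;

    memset(t, 0, sizeof(*t));
    if (arg == NULL || (t->buf = malloc(n = strlen(arg) + 1)) == NULL)
        return -1;
    memcpy(t->buf, arg, n);            /* private copy; arg stays const */
    for (size_t i = 0; i < NOPS; i++) {
        char *p = strstr(t->buf, optab[i].sym);
        /* Keep the leftmost hit; on a tie the earlier, longer entry stays. */
        if (p != NULL && (hit == NULL || p < hit)) {
            hit = p;
            len = strlen(optab[i].sym);
            t->op = optab[i].op;
        }
    }
    if (hit == NULL || hit == t->buf || hit[len] == '\0') {
        free(t->buf);                  /* no operator, or empty field/value */
        memset(t, 0, sizeof(*t));
        return -1;
    }
    memset(hit, 0, len);               /* overwrite operator bytes with NULs */
    t->field = t->buf;
    t->value = hit + len;
    return 0;
}
```

With a plain first-table-hit search, the constructed input `key=a!=b` would split at `!=` and yield the field `key=a`; the leftmost-hit rule splits it at `=` instead.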